Search form

Last month, the Department of Homeland Security issued a Binding Operational Directive (BOD) to identify and remove all products and services supplied by AO Kaspersky Lab from Federal agencies. According to DHS, “this action is based on the information security risks presented by the use of Kaspersky products on federal information systems.”[i]

Given the significant access and privilege this software requires to be installed, it could be used by state or non-state actors to compromise any information system. So this directive, though specific to Federal agencies, could have broader impact on other government departments, as well as Enterprises. Quickly identifying Kaspersky (or any unwelcome application) on your network, is a key first step to maintaining a healthy data center.

Big Monitoring Fabric is a Next-Generation packet and flow delivery platform that provides traffic to your network and security tools. The pervasive and tailored visibility it provides into the network is key to gaining situational awareness and remaining agile in the face of continually escalating and evolving threats.

Big Monitoring Fabric’s built-in Analytics module enables SecOps and NetOps to quickly identify users on the network using specific apps or services — with no need for external tools.

Here’s the one minute workflow to getting a list that you can execute counter measures against.

Step 1:

First, launch Big Monitoring Fabric’s Analytics GUI and select “Production Network” -> “DNS” from the menu. You’ll see the screen below, at which point, you’ll enter the following query into the search box and hit search:

qnamelist:*geo.kaspersky.com

Figure 1: Big Mon Analytic’s DNS Dashboard (histogram)

The query will generate relevant data on the DNS Dashboard in multiple (customizable) widgets. The topmost left widget in Figure 1 is showing the DNS clients for *geo.kaspersky.com.

Step 2:

To generate a tabular list of client IPs that can be exported to a .csv file, simply click on the bottom of the widget (on the up arrow).

Figure 2 shows a list of IP addresses fetching Kaspersky URLs.

Figure 2: Big Mon Analytic’s DNS Dashboard (list)

At the bottom of the widget, there are options to export the list, which you can then hand off to your team for remediation.

That’s it. No third party tools, no need for specialized filtering that would require specialized hardware (and extra costs). All the information you need is built into the Big Mon platform.